Information Security
Vladislav Rastrusny, 2011-12-06 09:23:20

Is it ethical/legal to post descriptions of unpatched vulnerabilities on Habr?

The situation is this: I found one unpleasant feature in a popular web product. Its operation makes it quite easy to cause a denial of service under some circumstances.

I reported the problem to the developer and received the following response:

After developers' review, we believe this not to be applicable in most real use cases (and have seen none so far); however, we do believe security measures to prevent this could be improved, so we're keeping this open for future consideration.


And now I'm confused. What should I do? Post a description publicly in order to draw attention to the problem and together find at least a temporary solution, even though it might trigger a wave of script-kiddie attacks on various sites? Or leave everything as it is and wait until someone else does it, or until the developer finally gets around to it?


3 answers

@sledopit, 2011-12-06

After informing the developer and waiting enough time for them to patch the hole, you can do it without any remorse.
If they haven’t bothered to close the hole in a few days, then they don’t really need it.

Gregory, 2011-12-06
@difiso

Given that the answer was received only yesterday, wait a week or two, then ask the developers whether they are going to patch it or not. If not, warn them that in a week you will publish details of the hole (a kind of kick to get them moving). And if they have patched it, then well done, and you can publish without a twinge of conscience.
I think this is the most rational course of action.

Eternalko, 2011-12-06
@Eternalko

Ethical under the conditions described by difiso.
